More stories

  • Cybercriminals exchange tips on avoiding arrest, jail in underground forums

    Lurking on underground forums has revealed insight into the methodology behind cyberattacker targets — as well as what criminals say to do if, or when, they are caught. 

    Released on Monday, research conducted by the Digital Shadows cybersecurity team on dark web forums explored the discussions between black hat hackers: the tips exchanged on how to avoid jail, what to do when they are on law enforcement radars, and the bullish attitude many take even towards the prospect of arrest.

    In February, in an interview between a lone LockBit ransomware operator and Cisco Talos, the cybercriminal said that the “best country” to be in for this occupation is Russia, but “underappreciation and low wages drove him to participate in unethical and criminal behavior.” While trawling Russian-speaking underground forums, Digital Shadows was able to obtain further insight into this idea, in which law enforcement “will not care” if the US or EU are targeted — but the moment any former Soviet Union nations are involved, they will “hunt you down.”

    When it comes to foreign travel, forum users believe this apparent peace deal only lasts as long as you don’t cross the border. One poster said: “[Cybercriminals] live peacefully in Russia, decided to go on holiday abroad — and that’s it, they don’t even make it out of the airport without the cuffs on.”

    Operational security (OPSEC) practices are also widely discussed, with forum users exchanging ways to avoid arrest and stay anonymous. Numerous threads mention everything from virtual to physical security options, but one topic in particular is widely debated: hard drive encryption or deletion is sometimes cited as a way to stop law enforcement investigations in their tracks. However, not every forum user is so sure, with one saying, “if it were all as simple as that then major cases would never be solved.”

    Early mistakes in criminal careers also appear to be causing some sleepless nights, with poor OPSEC when starting out being a difficult issue to remedy. “Many a threat actor’s downfall stemmed from poor OPSEC practices when they first decided to don the black hat, such as using a spouse’s email address, forgetting to mask their IP, or letting their real name and address slip,” the researchers say. “And once you realize your mistake, it might be too late.”

    In addition, discussions have taken place over collaboration. While many believe that other dark web forum users will “sell out” each other, others say that forging ties with others in the criminal industry can push threat actors up the pecking order. Digital Shadows noted that allegations are flying thick and fast that English-speaking criminal forums and marketplaces are becoming little more than police honeypots.

    Some forum users said that “sooner or later,” law enforcement will obtain information on them, and others relayed concerns over potential police violence on arrest. Others appear, at least online, to have a rather bullish attitude to the prospect of prosecution at all. Laws worldwide are still catching up with the evolution of cybercrime, and for some, corrupting law enforcement and saving enough to pay bribes and avoid prosecution is a possibility. As one forum user quipped, “a good lawyer knows the law, a better one knows the judge.”

    “Cybercriminals, just like the organizations they target, must always have one eye on their security practices,” the researchers say. “There are so many things for them to worry about and ways they can slip up. It must be pretty tiring. Threat actors must keep looking over their shoulders, fixing past mistakes, and coming up with new ways to beat the technology used to track them.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Debt-chasing UK councils potentially expose private resident data

    UK taxpayers have been connected to a reminder system used by councils that potentially exposed their sensitive data online. 

    An investigation conducted by The Register found that a debt-chasing service “freely exposed to the public thousands of taxpayers’ names, addresses, and outstanding debts” via bulk SMS messages sent to remind residents of unpaid bills. The system was developed by Telsolutions, who acted on behalf of an estimated dozen UK councils.

    Debt defaulters were sent text message reminders containing a URL leading to a basic web page showing a council resident’s personal data and outstanding bill. However, if you changed alphanumeric characters contained in the web address, this could reveal records belonging to others — including those living in different council areas.

    The publication says that no authentication or security checks were in place in a few cases. While some councils did require a postcode as a verification method, this is far from enough to stop a determined individual from collecting private, sensitive information on a target.

    Telsolutions told The Register they have since resolved the issue and have “further increased security and introduced new measures to prevent malicious intent.”

    A number of the councils contacted said they took security “seriously” and while one said their Data Protection Officer had been informed, others either pointed to the fact the majority of links are never accessed, or that they were now investigating the issue.
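    The exposure described above is the classic insecure-direct-object-reference pattern: the reference in the link is the record key, and a postcode check that is not bound to the record the link was issued for adds little. The following is an added example, not Telsolutions’ or any council’s code, modelling a reminder-link service in memory: the weak lookup sits beside a hardened form that issues a random token tied to one record, expires it, and checks the postcode against that record only. The resident records, postcodes and `LinkService` class are constructed for illustration.

```python
"""Predictable reminder links versus unguessable, record-bound tokens.

Added example, not Telsolutions' or any council's code. The weak lookup shows
the pattern the article describes (a short identifier in the URL resolves
straight to a record); the hardened LinkService issues a random token bound to
one record, with a time-to-live and a postcode check compared in constant time.
Resident records and postcodes are constructed sample data.
"""
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed sample records, keyed by the short reference the weak design exposes.
RECORDS: Dict[str, Dict[str, str]] = {
    "A1B2": {"name": "Resident One", "postcode": "AB1 2CD", "balance": "120.00"},
    "A1B3": {"name": "Resident Two", "postcode": "EF3 4GH", "balance": "45.50"},
}


def weak_lookup(link_id: str) -> Optional[Dict[str, str]]:
    """Weak: the reference in the link is the record key and nothing else is checked.

    Altering one character of the link reaches a different resident's record.
    """
    return RECORDS.get(link_id)


def normalise_postcode(value: str) -> bytes:
    """Strip spaces and upper-case so 'ab1 2cd' and 'AB12CD' compare equal."""
    return value.replace(" ", "").upper().encode("utf-8")


class LinkService:
    """Hardened: links carry a random token bound to one record, with a TTL."""

    TTL_SECONDS = 7 * 24 * 3600

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._tokens: Dict[str, Tuple[str, float]] = {}  # token -> (record id, expiry)

    def issue(self, record_id: str) -> str:
        """Create the token to embed in the SMS link for one record."""
        if record_id not in RECORDS:
            raise KeyError(record_id)
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable or enumerable
        self._tokens[token] = (record_id, self._now() + self.TTL_SECONDS)
        return token

    def lookup(self, token: str, postcode: str) -> Optional[Dict[str, str]]:
        """Return the record only if the token is live and the postcode matches it."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        record_id, expiry = entry
        if self._now() > expiry:
            del self._tokens[token]
            return None
        record = RECORDS[record_id]
        # The postcode is checked against the record this token was issued for, so a
        # valid token cannot be steered to another resident; constant-time compare.
        expected = normalise_postcode(record["postcode"])
        if not hmac.compare_digest(normalise_postcode(postcode), expected):
            return None
        return record


if __name__ == "__main__":
    print("weak:", weak_lookup("A1B2")["name"], "/", weak_lookup("A1B3")["name"])
    svc = LinkService()
    tok = svc.issue("A1B2")
    print("hardened, matching postcode:", svc.lookup(tok, "ab1 2cd"))
    print("hardened, other resident's postcode:", svc.lookup(tok, "EF3 4GH"))
```

    The design point is that the token identifies the record instead of exposing the key, the postcode is a second factor bound to that same record rather than a free-standing check, and the link stops working after the TTL so a leaked SMS has a limited lifetime.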

    In 2019, Gateshead council admitted to a slew of data breaches including when a list containing the details of 53 individuals who owed the council money was sent to a resident and the upload of medical data to an online forum. Last week, Birmingham council allegedly exposed the details of children deemed vulnerable by accidentally uploading them to a taxpayer service.

  • Cloudflare debuts zero-trust browsing service for remote enterprise workforce

    Cloudflare has debuted a new zero-trust tool designed to help protect remote employees from cyberattacks. 

    When the COVID-19 pandemic forced many of us out of the traditional office and into hastily created home setups, we, and the organizations we work for, were suddenly required to rely on either personal or company on-loan devices to continue performing our jobs. When it comes to cybersecurity, this means that the potential attack surface for threat actors increased, due to remote and end-user devices that needed to connect to corporate resources.

    According to Reboot Online, 44% of businesses in the UK alone have experienced a security breach since stay-at-home orders were imposed, a 20% increase year-over-year. Working from home, whether as a permanent option or as part of hybrid models, may become standard, and so the corporate world needs to consider how best to keep its networks protected whilst also catering to a remote workforce.

    To this end, Cloudflare has contributed a new zero-trust solution for browser sessions. On Tuesday, the web security firm launched Cloudflare Browser Isolation, software that creates a “gap” between browsers and end-user devices in the interests of safety. Instead of employees launching local browser sessions to access work-related resources or collaborative tools, the service runs the original, requested web page in the cloud and streams a replica to the end-user.

    Cloudflare says that tapping into the firm’s global network to run browser sessions circumvents the usual speed downgrades and potential lag caused by typical, pixel-based streaming. As there is no direct browser link, this can mitigate the risk of exploits, phishing, and cyberattacks. In addition, Cloudflare automatically blocks high-risk websites based on existing threat intelligence. The solution has now been made available through Cloudflare for Teams.

    “Everyone uses a web browser, and that makes it the perfect target for attackers all over the world,” commented Matthew Prince, Cloudflare CEO. “We don’t believe that the most effective protection to these attacks should be restricted to a handful of large companies with huge IT teams. Cloudflare Browser Isolation can be deployed by anyone in just a few clicks and automatically protects against the majority of threats people face online.”

  • Three billion phishing emails are sent every day. But one change could make life much harder for scammers

    Cyber criminals are sending over three billion emails a day as part of phishing attacks designed to look like they come from trusted senders. By spoofing the sender identity used in the ‘from’ field in messages, cyber criminals attempt to lure potential victims into opening emails from names they trust. This could be the name of a trusted brand like a retailer or delivery company, or even, in more sophisticated attacks, the name of their CEO or a colleague.


    These phishing attacks might sound simple, but they work – and that’s why so many of these messages are distributed by cyber criminals. According to a report by email security company Valimail, over three billion spoofing messages are sent every day, accounting for 1% of all email traffic.

    One of the reasons why email remains such a common attack vector is the rise of remote working. Employees are dealing with an increase in corporate communications being conducted over email, while the reality of working from home means that it’s harder for people to ask if an email is legitimate. All of this combined means that phishing emails are putting people and organisations at risk of cyberattacks, including credential theft, malware and ransomware.

    However, organisations can help defend against spoofed emails by applying DMARC (Domain-based Message Authentication, Reporting & Conformance), an email authentication protocol that, when implemented, ensures only authorized senders can send email using the domain, preventing spoofed or spam email from being sent in its name. It also contains a reporting function for ongoing improvement and protection.

    DMARC enforcement helps prevent spoofed emails from being delivered in the first place: analysis by Valimail found that 1.9% of email from domains without DMARC enforcement is suspicious, while just 0.4% of email from domains with DMARC enforcement is suspicious. Ultimately, domains without DMARC applied are almost five times more likely to be the target of phishing emails than domains that do have it applied, so organisations can help make the internet a safer place by protecting domains with it.

    “Privacy laws already exist in Europe and parts of the United States, and if a company does any business in those areas, a DMARC policy at enforcement is essential,” said Alexander García-Tobar, CEO and co-founder of Valimail. “By having valid email authentication in place, companies protect themselves and their customers from privacy violations. Without it, emails are sent without permission, fines are issued, confidential information is obtained and reputations sink.”
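    The two paragraphs above rest on the difference between having a DMARC record and having one at enforcement. As an added example that is not from the article or from Valimail, the following script parses the value of a domain’s `_dmarc` TXT record and reports whether the policy is at enforcement (`p=quarantine` or `p=reject` applied to 100% of failing mail), along with the gaps an assessor would flag: monitor-only `p=none`, a partial `pct`, a weaker subdomain policy `sp`, and no `rua` reporting address. Tag names follow RFC 7489; the sample records and domain names are constructed, and the enforcement rule is the usual operational reading rather than anything the article defines.

```python
"""Audit DMARC TXT records for enforcement.

Added example (not from the article or from Valimail). Parses a DMARC record
value, classifies it as at enforcement or not, and lists weaknesses. Tag names
follow RFC 7489; the sample records below are constructed, not real domains'.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcReport:
    policy: Optional[str] = None            # p= tag
    subdomain_policy: Optional[str] = None  # sp= tag, defaults to p
    pct: int = 100                          # share of failing mail the policy applies to
    has_reporting: bool = False             # rua= aggregate report address present
    error: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """Receivers are told to quarantine or reject every failing message."""
        return (self.error is None
                and self.policy in ("quarantine", "reject")
                and self.pct == 100)


def parse_dmarc(record: str) -> DmarcReport:
    """Parse one DMARC record string into a DmarcReport with findings."""
    report = DmarcReport()
    parts = [p.strip() for p in record.split(";") if p.strip()]
    # The v tag must come first; compared case-insensitively here.
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        report.error = "record does not start with v=DMARC1"
        return report
    tags: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" not in part:
            report.error = f"malformed tag {part!r}"
            return report
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        report.error = "p tag missing or invalid"
        return report
    report.policy = policy
    report.subdomain_policy = tags.get("sp", policy).lower()
    if report.subdomain_policy not in VALID_POLICIES:
        report.error = "sp tag invalid"
        return report
    try:
        report.pct = int(tags.get("pct", "100"))
    except ValueError:
        report.error = "pct tag is not an integer"
        return report
    if not 0 <= report.pct <= 100:
        report.error = "pct tag out of range"
        return report
    report.has_reporting = "rua" in tags

    # Each finding is a reason the domain is weaker than a glance at p= suggests.
    if policy == "none":
        report.findings.append("p=none only monitors; spoofed mail is still delivered")
    elif report.pct < 100:
        report.findings.append(f"pct={report.pct}: policy applied to only part of failing mail")
    if STRENGTH[report.subdomain_policy] < STRENGTH[policy]:
        report.findings.append(f"sp={report.subdomain_policy} leaves subdomains weaker than the parent")
    if not report.has_reporting:
        report.findings.append("no rua tag: no aggregate reports, so no visibility into abuse")
    return report


# Constructed sample records for illustration.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "broken.example": "p=reject; v=DMARC1",
}


def audit(records: Dict[str, str]) -> Dict[str, str]:
    """Summarise each domain as 'enforcement', 'not at enforcement' or 'invalid'."""
    summary: Dict[str, str] = {}
    for domain, record in records.items():
        report = parse_dmarc(record)
        if report.error:
            summary[domain] = "invalid"
        else:
            summary[domain] = "enforcement" if report.enforcing else "not at enforcement"
    return summary


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        rep = parse_dmarc(record)
        print(domain, "->", audit({domain: record})[domain], "|", "; ".join(rep.findings) or rep.error)
```

    In practice the record value comes from a DNS TXT query for `_dmarc.<domain>`; the parser is deliberately strict about the `v` tag position and numeric `pct` because a record that receivers cannot parse is treated as no policy at all.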


  • Oil giant Shell discloses data breach linked to Accellion FTA vulnerability

    Shell has disclosed a data breach involving stakeholders that exposed personal information records. 

    The oil and gas company said an unknown threat actor managed to gain access to “various files” during the time of intrusion which included personal data and information “from Shell companies and some of their stakeholders.” Shell has not disclosed how many individuals are involved in the security incident beyond saying that impacted parties have been contacted, alongside law enforcement agencies and regulators.

    The firm added that it does not appear core IT systems have been compromised, as the route of access was isolated from the rest of Shell’s central infrastructure.

    However, the data breach has been connected to Accellion’s File Transfer Appliance (FTA), enterprise software used to transfer large files — and a solution linked to a string of security incidents in December 2020 and January 2021. Accellion FTA, a legacy product that has now been formally retired, contained a zero-day vulnerability that was patched within three days of the vendor being made aware of active attacks utilizing the security flaw. However, thousands of organizations worldwide rely on the appliance, leading to a string of attacks against high-profile corporations and government entities.

    The first case was reported by the Reserve Bank of New Zealand. Organizations including the Australian Securities and Investments Commission (ASIC), Singtel, and Qualys soon followed.

    FireEye’s Mandiant team was pulled in to conduct an assessment of the Accellion FTA vulnerability, finding two further vulnerabilities — albeit accessible only by authenticated FTA users — and all bugs, as of now, have been resolved in FTA. If systems remain unpatched, however, they also remain vulnerable to exploit. The companies said in February that threat group FIN11 has been connected to the FTA zero-day exploit activity.

    “Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack,” Accellion said. “Within this group, fewer than 25 appear to have suffered significant data theft.”

    CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104 have now been reserved to track associated vulnerabilities. Users of Accellion FTA are recommended to switch to Kiteworks.

    “We will continue to monitor our IT systems and improve our security,” Shell says. “We regret the concern and inconvenience this may cause the affected parties.”

  • Digital transformation: This is why CIOs need to stay brave and keep on innovating

    Embracing innovation comes with risk. Exciting product launches don’t always go according to plan – and when that happens, you need to act quickly, learn from it and find new ways of making a difference. That’s certainly been the case for Graeme Hackland, CIO at Williams F1, whose team had to pull a recent plan to launch its new FW43B racing car using virtual reality, when leaked images appeared online before the scheduled reveal.


    But this episode won’t put Hackland off trying to innovate. As the person responsible for IT risk at Williams, he says he will not be telling his board to steer clear of emerging technologies. The firm is already investigating how it might take advantage of artificial intelligence to help improve decision-making processes. There are also plans for more data-led services that will help boost fan engagement. Hackland, in short, is keen to keep on innovating – so long as the risk to the business is kept in check.

    “When I get the opportunity at the next board meeting, I’ll be encouraging us to stay brave and to keep embracing new technology in this way. The digital transformation journey we’re on now is not just about our internal systems. For us, it was always about fan engagement as well,” he says.

    Williams is far from alone in embracing tech-led innovation. All companies have had to embrace digital transformation during the past 12 months – whether that’s in terms of establishing remote working, moving to e-commerce or using new technologies to keep socially distanced customers engaged.

    What’s more, that preparedness to try new things isn’t going anywhere soon. Gartner says creative thinking will continue to be crucial in the post-COVID age. Companies that embrace innovation effectively will be most likely to gain an edge on their competitors. The key message from Hackland is that, in an age of almost-continual digital transformation, CIOs and their organisations must be prepared to try new things. Yes, things can go wrong – but the key to success is being prepared to embrace innovation and to learn lessons when issues arise.

    “In Formula 1, every time we make a mistake, we learn from it, we do an after-action review: why did that happen and how do we make sure it doesn’t happen again. I think a lot of organisations are starting to do that,” he says.

    Evidence would suggest that this kind of review process is absolutely critical. As the demand for innovative digital projects quickens, so do the chances of failure. Boston Consulting Group research shows just 30% of digital transformations succeed in achieving their objectives. That kind of failure rate helps to explain why executives in many large corporations are reluctant to advocate for what they perceive to be risky projects. The Harvard Business Review says they quash new ideas in favour of marginal improvements, cost-cutting and safe investments.

    Image caption: Hackland: “I’ll be encouraging us to stay brave and to keep embracing new technology.” (Image: Williams F1)
    Hackland recognises that it can be difficult for CIOs to gain funding for innovative projects, especially in organisations with competing priorities. But when there’s a chance to try something new, the opportunity must be grabbed – not just in terms of the potential benefits it might bring to the company itself but also in terms of professional development.

    “You’re learning and your people are learning,” says Hackland, referring to the importance of experimentation. “They’re engaged in something new, they’re not just doing lights-on, which I think is really important. They’re getting to play with new technologies.”

    Which brings us back to Williams’ recent foray into virtual reality, which was one such attempt to try something new. The intention was to allow users of a bespoke VR app to view and manipulate the new car in its livery in 3D. The app, which was created by an external agency, was made available for fans to download on the Apple App Store and Google Play Store. However, when pictures of the FW43B started appearing online, the team couldn’t be sure if only the image data for the new car had been unpacked or whether the app itself had been compromised.

    “We didn’t know if there had been a compromise – we just didn’t know if the app was safe, and so you just couldn’t deploy it,” says Hackland. “If the app had been compromised, and we’d delivered it to our fans, I couldn’t have lived with that decision. So the decision was made to pull it.”

    Hackland says the company’s subsequent investigations have shown that the issue was a “data-loss incident” rather than someone hacking the app. Everything connected to the incident took place outside the team’s enterprise network.

    “This was not about someone getting into our network and taking our data. It’s the first time we’ve done something like this. So yeah, we clearly missed some things that next time – and I hope there is next time – we’ll learn from,” he says. “It was just unfortunate. An error was made that exposed the data. We’re still investigating and looking at it, and we’ve got a couple of cybersecurity partners looking at it, too.”

    Just as Hackland and his team have learnt some important lessons about embracing innovation, so other business leaders will have to ensure the right policies, processes and partners are in place to embrace new ideas in a carefully controlled manner. And rather than showing the downsides of working with external third-party suppliers, Hackland says the incident shows the importance of IT risk management and the role of trusted partners in trying to help reduce the ongoing cybersecurity threat.

    “I’ve been responsible for IT risk at two racing teams now for the past 15 years, but I don’t claim to know everything. The risk landscape changes constantly, which is why we partner with these organisations,” he says.

  • IT admin with axe to grind sent to prison for wiping Microsoft user accounts

    A former IT contractor with a grudge has been sentenced after mass-deleting the majority of a company’s Microsoft accounts. 

    Deepanshu Kher was sentenced to two years in prison for breaking into the network of a Carlsbad, California-based firm after being fired, potentially in connection to a consultancy job the firm hired him for. Kher worked for an IT consultancy firm from 2017 through May 2018. This company was recruited to help a client with migration to a Microsoft Office 365 environment and Kher was selected to assist. The client was not pleased with Kher’s performance and once this feedback reached head office, the IT admin was sacked. A month after being fired, in June 2018, Kher returned to India.

    However, two months later, Kher decided to exact revenge on the Californian company, according to the US Department of Justice (DoJ). The 32-year-old infiltrated the firm’s servers while outside of the US and deleted over 80% of employee Microsoft Office 365 accounts, with over 1,200 out of 1,500 wiped in total. As staff members were suddenly unable to access emails, contacts, calendars, stored documents, as well as Microsoft’s Virtual Teams remote management platform, they were unable to work.

    The company’s entire operations ground to a halt for two days. The VP of IT said, “In my 30-plus years as an IT professional, I have never been a part of a more difficult and trying work situation.”

    IT issues persisted for a further three months after the cyberattack and the FBI was informed. Kher was arrested while flying from India to the US on January 11, “unaware of the outstanding warrant for his arrest,” US prosecutors say.

    US District Court Judge Marilyn Huff charged the Delhi, India resident with intentional damage to a protected computer, a crime which can lead to up to 10 years in prison and a $250,000 fine. Kher will face two years behind bars and three years of supervised release, but must also pay $567,084 in damages — the bill his victim organization had to shoulder to restore its systems.

    “The victim company’s swift notification and cooperation with the FBI contributed greatly to the successful outcome,” commented Suzanne Turner, Special Agent in Charge of FBI’s San Diego Field Office. “Living in a digital world, it is important to get ahead of the threats, be proactive and predictive in the way we approach cybersecurity.”

  • Privacy Commissioner wants more protections for individuals in Data Availability Bill

    The Australian Information Commissioner and Privacy Commissioner’s office, the OAIC, has asked for the inclusion of additional privacy measures in the Bill that would allow the sharing of data held by government.

    The data reforms presented in the Data Availability and Transparency Bill 2020 are touted by Minister for Government Services Stuart Robert as being an opportunity to establish a new framework that is able to proactively assist in designing better services and policies. The Bill, as well as the Data Availability and Transparency (Consequential Amendments) Bill, were both introduced to Parliament in December, after two years of consultation.

    “Proposals to share data containing personal information will necessarily carry certain privacy risks, including the loss of control by individuals and the potential for mishandling of personal information,” the OAIC said in its submission [PDF] to the Senate Finance and Public Administration Committee currently probing the two Bills. “Privacy risks can be heightened in relation to government-held personal information, which is often collected on a compulsory basis to enable individuals to receive a service or benefit or is otherwise required by law.”

    The submission raised concerns that such data is often sensitive or can become sensitive when it is linked with other government datasets. It, therefore, has recommended the inclusion of additional privacy measures that would provide further protections for individuals and clarity for data scheme entities about their privacy obligations.

    “The OAIC considers that these additional measures are necessary to ensure the proportionality of the scheme and to achieve the trust and confidence of the community, which is vital to the success of the DAT scheme,” it wrote.

    In a discussion paper in September 2019, the federal government tweaked what it proposed the year prior by removing a fundamental element of privacy — consent. The government’s position on consent has since become more nuanced, with the Bill currently stating that any sharing of personal information is to be done with the consent of the individuals, unless it is unreasonable or impracticable.

    “While the OAIC acknowledges the important privacy safeguards that have been included in the DAT Bill, there are other key privacy protective measures that should be included to further mitigate the risks posed by sharing personal information,” the OAIC said.

    Additionally, the OAIC is concerned about the proposed exemption of scheme data from the Freedom of Information Act, which the OAIC considers runs counter to the objects of both the FOI Act and the Data Availability and Transparency Bill. It said this would effectively exempt any data that government agencies share with each other through the scheme.

    “The OAIC is concerned that the proposal is unnecessarily broad and risks misalignment with the objects of the FOI Act to provide a fundamental legal right to access to documents,” the submission continued. “The OAIC is also concerned that this proposal reduces the information access rights of individuals, impacting on their ability to seek access to their own personal information and understand how agencies are using this information.”

    As a result, the OAIC recommended that the proposed consequential amendment to the FOI Act be removed, and that data shared by agencies under the scheme remains subject to the usual FOI processes and potential exemptions under the FOI Act.
    Elsewhere, the OAIC recommended that all accredited users – including Commonwealth bodies — are subject to the same accreditation processes and criteria as other entities seeking to become accredited under the Data Availability and Transparency scheme. Further, the OAIC has asked for definitions in the Bill to be consistent with those in the Privacy Act 1988, for example, the definition of “de-identified”. It also recommended that additional protections be included in the Data Availability and Transparency Bill to ensure that the “exit mechanism” minimises the risk to individuals’ privacy and is only used in specific and confined circumstances.

    Digital Rights Watch is similarly concerned that the Bill is moving ahead in parallel to the review of the Privacy Act, which the Attorney-General’s office is currently heading. In its submission [PDF] to the committee, the organisation said as the draft text stands, the Bill “threatens to further erode the limited protections enshrined in the existing Privacy Act”.

    “The Bill would make it easier for government agencies to share data containing personal information with each other, allowing any government entity to access any and all the information the government holds about an individual,” it explained. “The draft also permits the government to share data with accredited third parties and researchers. In absolute terms, the Bill almost constitutes an amendment of the Australian Privacy Principle 6 by redefining and altogether eliminating the limitations and protections the principle currently imposes on the data custodians.”

    Digital Rights Watch has also asked that the Bill restrict the access of accredited parties from the single-application full access system proposed; define consent in line with international standards as presented under the GDPR, as one example; and maintain liability for data breaches, ensuring also a resolution mechanism for individuals who may want to seek redress if their data and privacy is compromised through the scheme.

    Also making a submission [PDF] was the Australian Privacy Foundation (APF), which considers the Bill as possessing weak legitimacy, that it erodes trust, and that it provides uncertain benefits alongside a history of underperformance.

    “The foundations of the proposed regime are weak, the superstructure is weaker,” APF wrote. “The proposed regime does not provide the necessary ‘strong privacy and security foundations’. Instead it embodies values of bureaucratic convenience that are antithetical to strong privacy protection.”